User Agent Client Hints #202
Comments
/cc @miketaylr - who showed interest in the feature when we discussed it at ViewSource
Hey @yoavweiss - sorry for the delay here. I've been having discussions with Tanvi and @martinthomson about the User Agents Hints proposal and here's some draft language that could maybe result in a position:

Description: The UA Hints proposal aims to solve the following problems associated with the User Agent (UA) string: UA sniffing, UA spoofing, and an entropy-rich target for fingerprinting. The proposal is to build on top of the Client Hints infrastructure and solve these problems over time.

(Draft) Mozilla's Position: Using Client Hints to deliver info derived from the User Agent header for servers who specifically request this information may reduce the number of parties that can use this information for passively fingerprinting users. However, we could reduce this even further by freezing the User Agent string and requiring resources to actively request this information via the proposed NavigatorUAData interface JS APIs. This would also allow us to audit the callers. At this time, freezing the User Agent string without any client hints—seems worth prototyping. We look forward to learning from other vendors who implement the “GREASE-like UA Strings” proposal and its effects on site compatibility.

Less formal version: We're very interested in the freezing UA string stuff, but I don't think the positive points change our position on Client Hints (which is currently "non-harmful"). @martinthomson could probably expound on that.
Thanks, @miketaylr -- after double-checking with Martin, and reading @dbaron's comment above as not varying from the related Client Hints position, I'm closing this and adding your proposed text to the spreadsheet.
Recent additions to the API increase the information that is made available to sites with insufficient justification. Other characteristics of the proposal have always been uncomfortable, but that change in particular pushes this proposal into being harmful. mozilla#552 lists other reasons in support of this conclusion. Our basic position remains unchanged: freezing the UA string is a good idea, but somewhat challenging (as others have found), providing a replacement that is only an alternative spelling is not useful and verges on harmful, deliberately adding fingerprinting information to the web is harmful. For mozilla#202. Closes mozilla#552.
Chromium has been shipping User Agent Client Hints for over a year now. I understand that you are skeptical about the
https://bugzilla.mozilla.org/show_bug.cgi?id=1750143 tracks the implementation. I can't say anything about priority, but you can follow along there @BenjaminAster.
Request for Mozilla Position on an Emerging Web Specification
Other information
The User Agent header that is being sent today on every request provides an excellent source of entropy that can be used to passively fingerprint users. It would be great if browsers could stop sending that information by default to all servers, regardless of whether those servers need it or not.

The User Agent Client Hint proposal is destined to replace the User Agent header, to achieve the following:

The above will enable browsers to keep track of servers that collect that information, and take actions to protect users' privacy in cases where that collection is likely abusing it.

Another interesting characteristic of resetting access to the UA string is that it can allow browsers to apply GREASE to the new values, in order to prevent the negative implications of UA sniffing seen on the web today.
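As an added example that is not part of the issue thread or of either proposal's own code: a quote-aware parser for the Sec-CH-UA header (an RFC 8941 structured-field list of brand/version pairs) placed beside the naive split-based sniffing that GREASE brands are designed to break. The header values are constructed samples; the GREASE brand deliberately contains a semicolon, as the proposal's GREASE brands do.

```javascript
// Sec-CH-UA is a Structured Field list: each member is a quoted string
// (the brand) followed by a v="..." parameter (the major version), e.g.
//   "Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96"
// The first member is a GREASE brand: an intentionally odd, rotating value
// whose purpose is to make brittle string matching on the header fail early.

// Quote-aware parser: matches each quoted brand and its quoted version,
// honouring backslash escapes inside the quotes as Structured Fields allow.
function parseSecChUa(header) {
  const member = /"((?:[^"\\]|\\.)*)"\s*;\s*v\s*=\s*"((?:[^"\\]|\\.)*)"/g;
  const unescape = (s) => s.replace(/\\(.)/g, '$1');
  const brands = [];
  let m;
  while ((m = member.exec(header)) !== null) {
    brands.push({ brand: unescape(m[1]), version: unescape(m[2]) });
  }
  return brands;
}

// Naive "sniffing" parser of the kind GREASE is meant to break: split on
// commas, then on semicolons, and strip quotes. A semicolon inside the
// quoted GREASE brand splits the brand in half and misreads the version.
function naiveParse(header) {
  return header.split(',').map((raw) => {
    const [brand, v = ''] = raw.trim().split(';');
    return {
      brand: brand.replace(/"/g, ''),
      version: v.replace(/^v=/, '').replace(/"/g, ''),
    };
  });
}

// Robust lookup: exact match on a parsed brand, ignoring GREASE entries
// entirely. Returns the major version as a number, or null if absent.
function brandVersion(header, brand) {
  const hit = parseSecChUa(header).find((b) => b.brand === brand);
  return hit ? Number(hit.version) : null;
}

// Constructed sample header (not captured from any real browser).
const SAMPLE_SEC_CH_UA =
  '"Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96"';

// Side-by-side result for the reader.
console.log(parseSecChUa(SAMPLE_SEC_CH_UA));
console.log(naiveParse(SAMPLE_SEC_CH_UA));
console.log(brandVersion(SAMPLE_SEC_CH_UA, 'Chromium'));
```

The naive parser returns `{ brand: 'Not A', version: 'Brand' }` for the GREASE member, which is exactly the breakage GREASE is intended to surface before a site ships it.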